diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2021-05-19 13:41:50 -0700 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2021-06-26 07:12:32 +0200 |
commit | 1fa20d7d4aad02206e84b74915819fbe9f81dab3 (patch) | |
tree | a1e1277f8b18d361a44ab671e47d06325c84eaec /net/bluetooth/l2cap_core.c | |
parent | 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 (diff) | |
download | linux-1fa20d7d4aad02206e84b74915819fbe9f81dab3.tar.gz linux-1fa20d7d4aad02206e84b74915819fbe9f81dab3.tar.bz2 linux-1fa20d7d4aad02206e84b74915819fbe9f81dab3.zip |
Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails
The use of l2cap_chan_del is not safe under a loop using
list_for_each_entry.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/l2cap_core.c')
-rw-r--r-- | net/bluetooth/l2cap_core.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 7d975cf98c20..f3b70fa348ab 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6248,7 +6248,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) { - struct l2cap_chan *chan; + struct l2cap_chan *chan, *tmp; struct l2cap_ecred_conn_rsp *rsp = (void *) data; u16 result; @@ -6262,7 +6262,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn, if (!result) return 0; - list_for_each_entry(chan, &conn->chan_l, list) { + list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { if (chan->ident != cmd->ident) continue; |